User Contributed Notes (12 notes)

There is a compatibility pack available for PHP versions 5.3.7 and later, so you don't have to wait for version 5.5 to use this function. It comes in the form of a single PHP file: https://github.com/ircmaxell/password_compat

Please, it's important that you take note of the documentation as regards the length of the password character on the database. Using password_verify to resolve a password that was hashed using the password_hash function, when the length is set to 50, might show some malfunctioning. As the documentation shows, the length can change. So, to be on the safer side, set the length to 255.

If you use anything as an input that can generate NULL bytes (sha1 with raw as true, or if NULL bytes can naturally end up in people's passwords), you may make your application much less secure than what you might be expecting.

For passwords, you generally want the hash calculation time to be between 250 and 500 ms (maybe more for administrator accounts). Since calculation time is dependent on the capabilities of the server, using the same cost parameter on two different servers may result in vastly different execution times. Here's a quick little function that will help you determine what cost parameter you should be using for your server to make sure you are within this range (note, I am providing a salt to eliminate any latency caused by creating a pseudorandom salt, but this should not be done when hashing passwords):

Pay close attention to the maximum allowed length of the password parameter! If you exceed the maximum length, it will be truncated without warning.

If you prepend your own salt/pepper to the password, and that salt/pepper exceeds the maximum length, then this function will truncate the actual password. That means password_verify() will return true with ANY password using the same salt/pepper.

It might be a good idea to append any salt/pepper to the end of the password instead.
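To make the truncation pitfall described in the note above concrete, here is an added PHP example (not code from any of the notes): with a constructed 80-byte pepper, the prepended variant verifies a wrong password while the appended variant rejects it. The names PEPPER, hashPrepended, hashAppended, verifyPrepended, verifyAppended, demonstrateTruncation and assertFitsBcrypt are chosen here and are not part of PHP.

```php
<?php
declare(strict_types=1);

// Constructed pepper, 80 bytes: on its own already past bcrypt's 72-byte input limit.
define('PEPPER', str_repeat('p', 80));

// Variant 1 (the pitfall from the note): pepper in front of the password.
// bcrypt only sees the first 72 bytes, all of which belong to the pepper.
function hashPrepended(string $password): string
{
    return password_hash(PEPPER . $password, PASSWORD_BCRYPT);
}

function verifyPrepended(string $password, string $hash): bool
{
    return password_verify(PEPPER . $password, $hash);
}

// Variant 2 (the note's suggestion): pepper after the password, so the
// password's own bytes are the ones that survive truncation.
function hashAppended(string $password): string
{
    return password_hash($password . PEPPER, PASSWORD_BCRYPT);
}

function verifyAppended(string $password, string $hash): bool
{
    return password_verify($password . PEPPER, $hash);
}

// Hashes one constructed password both ways and reports whether a completely
// different password is accepted by each variant.
function demonstrateTruncation(): array
{
    $prepended = hashPrepended('correct horse battery staple');
    $appended  = hashAppended('correct horse battery staple');
    return [
        'prepended_accepts_wrong_password' => verifyPrepended('totally wrong', $prepended),
        'appended_accepts_wrong_password'  => verifyAppended('totally wrong', $appended),
    ];
}

// Guard worth running before hashing: refuse input bcrypt would silently cut.
function assertFitsBcrypt(string $input): void
{
    if (strlen($input) > 72) {
        throw new LengthException('bcrypt input exceeds 72 bytes and would be truncated');
    }
}

var_dump(demonstrateTruncation());
```

With an 80-byte pepper the appended input also exceeds 72 bytes, so what bcrypt drops there is the pepper rather than the password; assertFitsBcrypt flags both variants, which is the check to run when choosing a pepper length.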